Data Privacy and the Private Right of Action
Several comprehensive privacy bills in the various state legislatures include private rights of action. The private right of action is often a dealbreaker for those attempting to pass privacy legislation. Some legislators are vehemently for the private right of action. Some are adamantly opposed.
The ‘private’ right of action in this context isn’t related to privacy, but to a private citizen – someone without an official role. A private citizen is in contrast to an official, such as an attorney general. Typically, privacy laws leave enforcement of the laws to officials such as attorneys general, district attorneys, and agencies.
The private right of action democratizes the enforcement of the law. A privacy law in one state may allow enforcement only through the attorney general’s office, leaving just one entity with the capability of enforcing the law.
A state that has a private right of action, on the other hand, could potentially open up the class of possible enforcers of the law to every single person in the state. From one entity to millions of entities, just like that, with a private right of action.
Figuratively that represents hundreds of thousands more sets of eyes watching companies to make sure they aren’t abusing the privacy rights of consumers. Sticking with the metaphor, on average the quality of these eyes will not be as good as the quality of the eyes in the attorney general’s office. Many consumers don’t worry too much about their privacy and even if they did, they wouldn’t know how to monitor a company’s use of their personal information.
However, some of the sets of eyes will be quite sharp; they may belong to privacy professionals or privacy hobbyists who know what to look for and how to detect abuses of privacy rights. Furthermore, the sheer quantity of eyes observing companies will increase the chances that any malfeasance by the companies will be detected. This has been demonstrated with the democratization of astronomy, where volunteer stargazers have catalogued millions of celestial objects.
The democratization effect has already been proven in the privacy sphere in the United States with the Biometric Information Privacy Act (BIPA). The BIPA is a law in Illinois that allows consumers to enforce their privacy rights (related to their biometric information) with a private right of action. BIPA has led to many multi-million dollar settlements.
That’s right, multi-million dollar settlements. That’s another aspect of the private right of action. Not only are more people capable of enforcing privacy laws, but those same people have motivation to do so: multi-million dollar settlements. Multi-million dollar settlements are due to class-action lawsuits. Typically, when a company violates the law in processing one consumer’s personal information, it hasn’t specifically targeted that consumer; it’s usually a business practice and so would apply to many, many more consumers. Assuming that a class is approved, the plaintiff class can sue the defendant company for the privacy rights violations committed against the class, and if the suit results in an award of damages or produces a settlement, the members of the class are compensated for the privacy harms they suffered from the behaviors of the defendant company.
So, consumers generally like the private right of action and businesses generally hate the private right of action. It is available for data subjects in the European Union under the General Data Protection Regulation. It is available in California, in the specific context of a data breach, but otherwise, the typical consumer can’t enforce their privacy rights in California.
There are several states proposing privacy bills that include a private right of action. The private right of action doesn’t change the obligations of compliance, but does increase the urgency and importance of compliance.
As the privacy landscape becomes more perilous, it’s important to have privacy compliance solutions that are reliable. That’s where Clarip comes in. Clarip helps companies with automated data subject request fulfillment, data mapping, website scanning, consent management, vendor management, and much more. Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.